Optimistic Mixing for Exit-Polls
Philippe Golle, Stanford; Sheng Zhong, Yale; Dan Boneh, Stanford; Markus Jakobsson, RSA Labs; Ari Juels, RSA Labs

Mix Server
A mix server is a cryptographic implementation of a hat.
[Diagram: Inputs → Mix Server (?) → Outputs, with Proof]

Mix Network
[Diagram: Inputs → Server 1 (?) → Server 2 (?) → Server 3 (?) → Outputs, with Proof]
1. Servers sequentially mix the inputs
2. Verify the proofs of correct mixing:
   OK: accept the output
   Otherwise: remove cheaters and mix again
If a single mix server is honest, global permutation is secret.

Applications
Anonymous voting
1. Votes submitted to the mix
2. Votes are mixed
3. Verify correct mixing (expensive):
   OK: decrypt the votes & announce results of election
   Otherwise: remove cheater and mix again
Other applications
  – Anonymous payments
  – Anonymous channels
All these applications require efficient schemes

Properties
Privacy: outputs can't be matched to inputs
Correctness: outputs match inputs
Robustness: an output is produced regardless of possible mix server failures or bad inputs
Verifiability: local or universal
Efficiency

Our contribution
Optimistic mixnet
  – If all servers mix correctly, verification extremely fast
  – If a server cheats, verification slower
Application: exit-polls
Note: Cheating by users has (almost) no impact
1. Servers sequentially mix the inputs
2. Verify the proofs of correct mixing [expensive]
   OK: accept the output [the usual case]
   Otherwise: remove cheaters and mix again [very rare]

Comparison of proofs of correct mixing
(n = number of inputs, k = number of servers)

Scheme                       Reference        Cost          Note
Cut and Choose ZK            [SK95, OKST97]   642nk
Pairwise Permutations        [JJ99, Abe99]    14nk·log n
Matrix Representation        [FS01]           36nk
Polynomial Scheme            [Nef01]          16nk
Randomized Partial Checking  [JJR01]          nk            Global privacy
Proof of Subproduct          [BG02]           αkαk          Near-correct
Optimistic Mix               [GZBJJ02]        3 + 3Nk       Optimistic

Optimistic Mixing

Zoology of Mix Networks
Decryption Mix Nets [Cha81,…]:
  – Inputs: ciphertexts
  – Outputs: decryption of the inputs
Re-encryption Mix Nets [PIK93,…]:
  – Inputs: ciphertexts
  – Outputs: re-encryption of the inputs
[Diagram: Inputs → ? → Outputs]

ElGamal Cryptosystem
ElGamal is a randomized public-key cryptosystem
Plaintexts in a group $G$ of prime order $q$
Ciphertexts are pairs $(a, b)$ where $a, b \in G$
Malleable: $E_r(m) \to E_{r+s}(m)$
ZK proof that two CT decrypt to the same PT (1 exp)
Multiplicative homomorphism: $E(m), E(m') \to E(mm')$

Re-encryption Mixnet
0. Setup: mix servers generate a shared ElGamal key
1. Users encrypt their inputs: [Diagram: Input, Pub-key]
2. Encrypted inputs are mixed: [Diagram: Server 1 → Server 2 → Server 3, each "re-encrypt & mix", with Proof]
3. A quorum of mix servers decrypts the outputs: [Diagram: Output, Priv-key]

Problem
Mix servers must prove correct re-encryption
  – Inputs: $n$ ElGamal ciphertexts $E(m_i)$
  – Outputs: $n$ ElGamal ciphertexts $E(m'_i)$
Mix proves that there is a permutation π such that: without revealing π.

Our Techniques to Prove Correct Re-encryption
1. Proof of product with checksum: verification that the mix is product-preserving
2. Double envelope: inputs are encrypted twice

Proof of Product
Mix server:
  – Receives: $n$ ElGamal ciphertexts $E(m_i)$
  – Produces: $n$ ElGamal ciphertexts $E(m'_i)$
Verifier:
  – Computes: $E(\prod_{i=1}^{n} m_i)$ and $E(\prod_{i=1}^{n} m'_i)$
  – Asks Mix for ZK proof that these CT decrypt to same PT
Observations:
  – Honest mix can always give this proof
  – Verification is necessary but not sufficient
  – Idea: append a cryptographic checksum to the inputs

Proof of Product with Checksum
Inputs: $m_i$ = E( Input || Checksum(Input) )
Outputs: $m'_i$ = E( Input || Checksum(Input) )
Proposition: If
  – All input checksums are correct
  – $\prod m_i = \prod m'_i$
  – All output checksums are correct
Then $\{m_i\} = \{m'_i\}$ with all but negligible probability

Proof of Product with Checksum
1. Submission of inputs: $E(m_i)$ = encryption of Input || Checksum(input)
2. Mixing
3. Each mix proves $E(\prod m_i) = E(\prod m'_i)$
   Mixes which fail are kicked out
4. Decryption: $m_i$ = Input || Checksum(input)
5. Verification of checksum:
   All checksums OK $\Rightarrow \{m_i\} = \{m'_i\}$
   Otherwise: either a mix or a user cheated
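The five steps above as an added Python example (not from the original slides): a toy ElGamal re-encryption mix whose product proof is a Chaum-Pedersen equality proof made non-interactive with a hash, followed by the checksum check after decryption. Assumptions: the tiny group and private key `X`, the hash-based `checksum`, input and checksum encrypted as two separate ciphertexts instead of one concatenated plaintext, and the choice of Chaum-Pedersen as the ZK proof, which the slides do not name.

```python
import hashlib, random
from functools import reduce
# Toy group constructed for this example (far too small for real use):
# p = 2q + 1 with q prime; g = 4 generates the subgroup of order q.
P, Q, G, X = 2039, 1019, 4, 777            # X: toy private key, one holder (the slides share it)
Y = pow(G, X, P)
rng = random.Random(1)                     # fixed seed, demo only

def H(*v):                                 # hash to an exponent mod q
    return int.from_bytes(hashlib.sha256(repr(v).encode()).digest(), "big") % Q
def checksum(m):                           # assumed checksum, mapped into the group
    return pow(G, H("chk", m), P)
def enc(m, r):
    return (pow(G, r, P), m * pow(Y, r, P) % P)
def dec(c):
    return c[1] * pow(c[0], -X, P) % P
def mul(c, d):                             # E(m) * E(m') = E(mm')
    return (c[0] * d[0] % P, c[1] * d[1] % P)
def ratio(ins, outs):                      # u = A'/A, v = B'/B of the two product ciphertexts
    (a, b), (a2, b2) = reduce(mul, ins), reduce(mul, outs)
    return a2 * pow(a, -1, P) % P, b2 * pow(b, -1, P) % P

def prove(u, v, R):                        # Chaum-Pedersen: log_g u = log_y v = R
    w = rng.randrange(1, Q)
    t = (pow(G, w, P), pow(Y, w, P))
    return t, (w + H(u, v, t) * R) % Q
def verify(ins, outs, proof):
    (u, v), (t, z) = ratio(ins, outs), proof
    c = H(u, v, t)
    return pow(G, z, P) == t[0] * pow(u, c, P) % P and pow(Y, z, P) == t[1] * pow(v, c, P) % P

def mix(rows, cheat=False):                # rows of [E(input), E(checksum(input))]
    rs = [(rng.randrange(1, Q), rng.randrange(1, Q)) for _ in rows]
    out = [[mul(c, enc(1, r)) for c, r in zip(row, rr)] for row, rr in zip(rows, rs)]
    if cheat:                              # product-preserving tampering: k and 1/k
        k = pow(G, 5, P)
        out[0][0] = mul(out[0][0], (1, k))
        out[1][0] = mul(out[1][0], (1, pow(k, -1, P)))
    R = [sum(rr[j] for rr in rs) % Q for j in (0, 1)]
    proofs = [prove(*ratio([r[j] for r in rows], [o[j] for o in out]), R[j]) for j in (0, 1)]
    rng.shuffle(out)
    return out, proofs

def run(inputs, cheat=False):              # returns (product proofs ok, outputs, bad outputs)
    rows = [(enc(m, rng.randrange(1, Q)), enc(checksum(m), rng.randrange(1, Q))) for m in inputs]
    out, proofs = mix(rows, cheat)
    ok = all(verify([r[j] for r in rows], [o[j] for o in out], proofs[j]) for j in (0, 1))
    plain = [(dec(m), dec(h)) for m, h in out]
    return ok, sorted(m for m, _ in plain), sorted(m for m, h in plain if checksum(m) != h)
```

With the constructed inputs `[4, 16, 64, 72]` (all powers of g), `run(inputs)` returns a passing proof and no bad outputs, while `run(inputs, cheat=True)` still returns a passing product proof but lists the altered outputs as failing their checksum.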

Incorrect Output Checksums
Cheating by user:
  – Input submitted with incorrect Checksum
  – We do not (can not) verify that input checksums OK
  – This cheating is harmless
Cheating by mix server:
  – One (or several) servers produced corrupted output(s)
  – This cheating is serious:
    The mix server can trace selected inputs
    The harm is already done by the time cheating is discovered

Double Envelope
Replace: Input || Checksum(input)
with: Input || Checksum ( Input )
[Diagram: the envelopes drawn around these terms are not recoverable]

Optimistic Mixnet
1. Submission of inputs: $E(m_i)$ = Input || Checksum ( Input ), in a double envelope
2. Mixing
3. Each mix proves $E(\prod m_i) = E(\prod m'_i)$
   Mixes which fail are kicked out
4. Partial decryption: $m_i$ = Input || Checksum( input )
5. Verification of checksums…

Optimistic Mixnet (cont'd)
5. Verification of checksum:
   All checksums OK $\Rightarrow \{m_i\} = \{m'_i\}$. We are done!
   Otherwise: either a mix or a user cheated
6. Investigation of user cheating:
   Mixes must trace every bad output to a bad input.
   No privacy for cheating users!
   If every bad output successfully traced, we are done!
7. Otherwise mix servers cheated:
   The checksums are discarded
   The inputs are mixed again with standard mix

Properties of Optimistic Mixnet
Privacy: for honest users only
Correctness: OK (if discrete log is hard in $\mathbb{Z}_p$)
Robustness: up to a minority of faulty servers
Efficiency:
  – Mix: 6n exponentiations
  – Proof: 3 + 3Nk exponentiations
  – Plus cost of alternative decryption if a mix server cheats
  – The expensive operation is the mix, not the proof.

Conclusion
Optimistic mix based on 2 new techniques:
  – Proof of product with checksum
  – Double envelope
Optimistic mix is extremely fast when no server cheats.
Cheating by users has minimal impact on performance
When a server cheats:
  – Cheating is detected
  – It does not compromise the privacy of users
  – It only causes the mix to run slower
Application: exit-polls